XML vs. JSON - My First Thoughts
The last week or two has seen a flurry of discussion about the use of JSON vs. XML in web apps. Most folks have been coming at it from a developer’s point of view, asking which has better tool support, is less bandwidth-intensive, or is easier to use in various scenarios.
It seems to have been quickly forgotten that most of this discussion started because of a cross-site scripting vulnerability in Gmail. We’re assured that any reasonable JSON library will sanitize the incoming JSON before executing it. However, this is just the sort of thing that caused browser developers to disable cross-site use of XMLHttpRequest in the first place. Web users should not rely on web developers or JSON library developers to protect them from cross-site attacks. If JSON is being used to work around something that was specifically disabled in XMLHttpRequest, what does that tell you?
Comments
Comment from Sandman
Date: January 19, 2007, 9:12 am
Yeah, that’s a stupid excuse for using a technology. That said, JSON is amazing for web development. I’ve completely dropped XML from nearly all of my software development. There is the holy trilogy of configuration options: database, annotations & config files. Using XML for config options is popular in the C#/Java world, but other frameworks like RoR/Django/etc have made it obsolete. Good scripting languages like Python/Ruby make code-based configuration really enjoyable. I know I’ll never go back. Sorry for the digression. JSON for web development takes all the XML BS out of web calls and makes AJAX so much more approachable. I’m a big fan.